[Bro] Log all client cipher suites

Harrison, Daniel (US SSA) daniel.harrison4 at baesystems.com
Sun Jan 18 09:12:51 PST 2015

I am trying to write a script to log all client_hello cipher suites to the
ssl log, preferably in the ascii hex format as they look in the pcap. I
hacked up a similar script and got it to create the log entry but the column
shows only (empty). Any idea on how to do this? Thanks.




@load base/protocols/ssl/main

module SSL;


export {

                redef record Info += {

                                ciphers:  vector of string &log &optional;


                ## A boolean value to determine if client headers are to be

                const log_ciphers = T &redef;


event ssl_client_hello(c: connection, version: count, possible_ts: time,
client_random: string, session_id: string, ciphers: index_vec)


                if ( ! c?$ssl )


                                if ( log_ciphers )


c$ssl$ciphers = vector();











Scott Harrison

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20150118/110b5cf7/attachment-0001.html 
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 6727 bytes
Desc: not available
Url : http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20150118/110b5cf7/attachment-0001.bin 

More information about the Bro mailing list